
Migrating PKI Server

Endi S. Dewata edited this page Mar 21, 2023 · 36 revisions

Overview

Warning: This page is still under construction.

This page describes the process of migrating the PKI server of an IPA server to another machine.

This page assumes that the IPA server has already been installed on ipa.example.com and that the PKI server will be migrated to pki.example.com, which has been configured as an IPA client.

Stopping PKI Server

$ pki-server stop --wait

Backing Up PKI Server

Back up PKI server with the following command:

$ tar czvf pki-tomcat.tar.gz \
    -C / \
    etc/pki/pki-tomcat \
    etc/sysconfig/pki-tomcat \
    etc/sysconfig/pki/tomcat/pki-tomcat \
    etc/systemd/system/pki-tomcatd.target.wants/pki-tomcatd@pki-tomcat.service \
    var/lib/pki/pki-tomcat \
    var/log/pki/pki-tomcat

Restoring PKI Server

Transfer the pki-tomcat.tar.gz to pki.example.com, then unpack the file:

$ tar xzvf pki-tomcat.tar.gz -C /

Configuring HTTP Proxy Ports

$ pki-server ca-config-unset proxy.securePort
$ pki-server ca-config-unset proxy.unsecurePort

Configuring Plain LDAP Port for Internal Database

$ pki-server ca-config-set internaldb.ldapconn.host ipa.example.com
$ pki-server ca-config-set internaldb.ldapconn.port 389
$ pki-server ca-config-set internaldb.ldapconn.secureConn false

Configuring Basic Authentication for Internal Database

To configure basic authentication:

$ pki-server ca-config-unset internaldb.ldapauth.clientCertNickname
$ pki-server ca-config-set internaldb.ldapauth.authtype BasicAuth
$ pki-server ca-config-set internaldb.ldapauth.bindDN "cn=Directory Manager"
$ pki-server ca-config-set internaldb.ldapauth.bindPWPrompt internaldb

To store the password:

$ pki-server password-add internaldb --password Secret.123

Configuring RSNv3 for Request ID Generator

$ pki-server ca-config-unset dbs.beginRequestNumber
$ pki-server ca-config-unset dbs.endRequestNumber
$ pki-server ca-config-unset dbs.requestIncrement
$ pki-server ca-config-unset dbs.requestLowWaterMark
$ pki-server ca-config-unset dbs.requestCloneTransferNumber
$ pki-server ca-config-unset dbs.requestRangeDN
$ pki-server ca-config-set dbs.request.id.generator random
$ pki-server ca-config-set dbs.request.id.length 128

Configuring RSNv3 for Certificate ID Generator

$ pki-server ca-config-unset dbs.beginSerialNumber
$ pki-server ca-config-unset dbs.endSerialNumber
$ pki-server ca-config-unset dbs.serialIncrement
$ pki-server ca-config-unset dbs.serialLowWaterMark
$ pki-server ca-config-unset dbs.serialCloneTransferNumber
$ pki-server ca-config-unset dbs.serialRangeDN
$ pki-server ca-config-unset dbs.enableRandomSerialNumbers
$ pki-server ca-config-unset dbs.randomSerialNumberCounter
$ pki-server ca-config-set dbs.cert.id.generator random
$ pki-server ca-config-set dbs.cert.id.length 128

Configuring Security Domain

$ pki-server ca-config-set securitydomain.host pki.example.com

Generating New SSL Server Certificate

To remove the old SSL server certificate:

$ certutil -D \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/alias/pwdfile.txt \
    -n "Server-Cert cert-pki-ca"

To generate a new SSL server certificate:

$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    nss-cert-request \
    --subject "CN=pki.example.com,OU=pki-tomcat,O=EXAMPLE" \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --csr sslserver.csr
$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    nss-cert-issue \
    --issuer "caSigningCert cert-pki-ca" \
    --csr sslserver.csr \
    --ext /usr/share/pki/server/certs/sslserver.conf \
    --cert sslserver.crt
$ pki \
    -d /etc/pki/pki-tomcat/alias \
    -f /etc/pki/pki-tomcat/password.conf \
    nss-cert-import \
    --cert sslserver.crt \
    "Server-Cert cert-pki-ca"

Updating SSL Server Certificate in CS.cfg

To update the certificate request:

$ openssl req \
    -outform der \
    -in sslserver.csr \
    -out sslserver.csr.der
$ CSR=$(cat sslserver.csr.der | base64 -w 0)
$ pki-server ca-config-set ca.signing.certreq "$CSR"

To update the certificate:

$ openssl x509 \
    -outform der \
    -in sslserver.crt \
    -out sslserver.crt.der
$ CERT=$(cat sslserver.crt.der | base64 -w 0)
$ pki-server ca-config-set ca.sslserver.cert "$CERT"

Importing SSL Server Certificate into CA Database

To import the certificate request:

$ pki-server ca-cert-request-import \
    --csr sslserver.csr \
    --profile serverCert.profile

To import the certificate:

$ pki-server ca-cert-import \
    --cert sslserver.crt \
    --profile serverCert.profile \
    --request <request ID>

Updating Security Domain Subsystem

To remove the old subsystem:

$ pki-server \
    sd-host-del \
    "CA ipa.example.com 443"

Note: Use port 443 since the old PKI server sits behind the IPA HTTP proxy.

To add the new subsystem:

$ pki-server \
    sd-host-add \
    --subsystem CA \
    --hostname pki.example.com \
    --secure-port 8443 \
    --domain-manager \
    "CA pki.example.com 8443"

Note: Use port 8443 since the new PKI server does not sit behind the IPA HTTP proxy.

Updating Security Domain Subsystem User

To remove the old subsystem user:

$ pki-server \
    ca-user-del \
    CA-ipa.example.com-8443

To add a new subsystem user:

$ pki-server \
    ca-user-add \
    --full-name "CA-pki.example.com-8443" \
    --type agentType \
    --state 1 \
    CA-pki.example.com-8443

To assign the subsystem certificate to the new subsystem user:

$ cat subsystem.crt | pki-server \
    ca-user-cert-add \
    CA-pki.example.com-8443

Starting PKI Server

$ systemctl daemon-reload
$ pki-server start --wait

Updating HTTP Proxy

$ sed \
    -i 's/localhost/pki\.example\.com/g' \
    /etc/httpd/conf.d/ipa-pki-proxy.conf

Updating CA Hostname and Port

Edit /usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py as follows:

@register()
class ra(rabase.rabase, RestClient):

    ...

    def find(self, options):

        ...

        status, _, data = dogtag.https_request(
            # self.ca_host, 443,
            'pki.example.com', 8443,
            url='/ca/rest/certs/search?size=%d' % (
                 options.get('sizelimit', 0x7fffffff)),
            ...
        )

This change can also be done with this command:

$ sed \
    -i "s/self\.ca_host, 443,/'pki.example.com', 8443,/g" \
    /usr/lib/python3.11/site-packages/ipaserver/plugins/dogtag.py

Restarting HTTPD Service

$ systemctl restart httpd

Verification

$ ipa cert-find
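As an added check that is not part of the original page, the following POSIX shell script reads the migrated CS.cfg (plain key=value lines; the path /etc/pki/pki-tomcat/ca/CS.cfg is an assumption, pass your own) and reports every setting this procedure sets or unsets that does not match, using a constructed sample file:

```shell
# Added example, not part of the pki wiki page: sanity-check a migrated CS.cfg
# against the settings this procedure sets and unsets. Assumes CS.cfg is plain
# key=value lines; the path is passed in (e.g. /etc/pki/pki-tomcat/ca/CS.cfg).
# Print the value of KEY in FILE (empty if absent); succeed only if KEY is present.
cfg_get() { awk -v k="$2" -F= '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"; }
cfg_has() { awk -v k="$2" -F= '$1 == k { found = 1 } END { exit (found ? 0 : 1) }' "$1"; }

# Check FILE: print one line per problem, return 0 only if every check passes.
check_migrated_cfg() {
    f=$1 fails=0
    # Keys this page sets, with the value each should now carry.
    for kv in \
        "internaldb.ldapconn.host=ipa.example.com" \
        "internaldb.ldapconn.port=389" \
        "internaldb.ldapconn.secureConn=false" \
        "internaldb.ldapauth.authtype=BasicAuth" \
        "internaldb.ldapauth.bindDN=cn=Directory Manager" \
        "dbs.request.id.generator=random" "dbs.request.id.length=128" \
        "dbs.cert.id.generator=random" "dbs.cert.id.length=128" \
        "securitydomain.host=pki.example.com"
    do
        key=${kv%%=*} want=${kv#*=}
        got=$(cfg_get "$f" "$key")
        [ "$got" = "$want" ] || { echo "MISMATCH $key='$got' (want '$want')"; fails=$((fails + 1)); }
    done
    # Keys this page unsets; a leftover means old proxy, range or cert-auth settings still apply.
    for key in proxy.securePort proxy.unsecurePort internaldb.ldapauth.clientCertNickname \
               dbs.beginRequestNumber dbs.endRequestNumber dbs.beginSerialNumber \
               dbs.endSerialNumber dbs.enableRandomSerialNumbers
    do
        ! cfg_has "$f" "$key" || { echo "STALE $key is still set"; fails=$((fails + 1)); }
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample: a CS.cfg excerpt as it should look after this procedure.
write_sample_cfg() {
    cat > "$1" <<'EOF'
internaldb.ldapconn.host=ipa.example.com
internaldb.ldapconn.port=389
internaldb.ldapconn.secureConn=false
internaldb.ldapauth.authtype=BasicAuth
internaldb.ldapauth.bindDN=cn=Directory Manager
dbs.request.id.generator=random
dbs.request.id.length=128
dbs.cert.id.generator=random
dbs.cert.id.length=128
securitydomain.host=pki.example.com
EOF
}
```

Run `check_migrated_cfg /etc/pki/pki-tomcat/ca/CS.cfg` on the new host; a MISMATCH or STALE line points at the step above that was skipped.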

To Do

  • Add CLIs that are not available yet

  • Do not hardcode hostname

  • Support other IPA operations (e.g. cert enrollment)

  • Replace AJP with HTTPS

  • Migrate DS Server
